Filter: query-logging-enabled. Matches hosted zones by whether Route 53 query logging is enabled for the zone (state: true) or not (state: false).
properties:
  state:
    type: boolean
  type:
    enum:
      - query-logging-enabled
required:
  - type
Permissions: route53:GetQueryLoggingConfig, route53:GetHostedZone, logs:DescribeSubscriptionFilters
Filter: shield-enabled. Matches hosted zones by whether an AWS Shield protection exists for the zone's ARN (state: true) or not (state: false); the filter compares the zone ARN against the protections listed in the account.
properties:
  state:
    type: boolean
  type:
    enum:
      - shield-enabled
required:
  - type
Permissions: shield:ListProtections
Action: delete. Deletes Route 53 hosted zones.
It is recommended to use a filter to avoid unwanted deletion of Route 53 hosted zones.
If force is set, this action will wipe out all records in the hosted zone before deleting the zone.
policies:
  - name: route53-delete-testing-hosted-zones
    resource: aws.hostedzone
    filters:
      - 'tag:TestTag': present
    actions:
      - type: delete
        force: true
properties:
  force:
    type: boolean
  type:
    enum:
      - delete
required:
  - type
Permissions: route53:DeleteHostedZone
Action: set-query-logging. Enables query logging on a hosted zone.
By default this creates a log group per Route 53 domain; alternatively, a log group name can be specified for a unified log across domains.
Note this is only applicable to public Route 53 domains, and the log groups must be created in the us-east-1 region.
This action can optionally set up the resource permissions needed for Route 53 to log to CloudWatch Logs via set-permissions: true; otherwise the CloudWatch Logs resource policy must be set separately.
It is recommended to use a separate custodian policy on the log groups to set the log retention period for the zone logs. See custodian schema aws.log-group.actions.set-retention
policies:
  - name: enablednsquerylogging
    resource: hostedzone
    region: us-east-1
    filters:
      - type: query-logging-enabled
        state: false
    actions:
      - type: set-query-logging
        state: true
properties:
  log-group:
    default: auto
    type: string
  log-group-prefix:
    default: /aws/route53
    type: string
  set-permissions:
    type: boolean
  state:
    type: boolean
  type:
    enum:
      - set-query-logging
required:
  - type
Permissions: route53:GetQueryLoggingConfig, route53:CreateQueryLoggingConfig, route53:DeleteQueryLoggingConfig, logs:DescribeLogGroups, logs:CreateLogGroup, logs:GetResourcePolicy, logs:PutResourcePolicy
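The policy below is an added example, not one of the Cloud Custodian reference examples above. It combines the query-logging-enabled filter with set-query-logging to turn on logging for every public zone that lacks it, using a single shared log group and letting custodian write the CloudWatch Logs resource policy. It assumes the generic value filter on Config.PrivateZone (a field Route 53 returns for each hosted zone) and that a non-"auto" log-group value is used as the full log group name; the log group name itself is a constructed placeholder.

```yaml
# Added example policy (not from the Cloud Custodian docs).
policies:
  - name: route53-enable-query-logging-unified
    resource: aws.hostedzone
    # Query-logging log groups must live in us-east-1, so the policy runs there.
    region: us-east-1
    filters:
      # Query logging only works for public zones; skip private ones.
      # Assumes the generic value filter on the zone's Config.PrivateZone field.
      - type: value
        key: Config.PrivateZone
        value: false
      # Only touch zones where logging is currently off.
      - type: query-logging-enabled
        state: false
    actions:
      - type: set-query-logging
        state: true
        # One shared log group instead of the default one-per-domain layout.
        # Constructed name; assumed to be used verbatim when not "auto".
        log-group: /aws/route53/all-zones-queries
        # Have custodian put the CloudWatch Logs resource policy that allows
        # Route 53 to deliver query logs, instead of managing it by hand.
        set-permissions: true
```

Run it with custodian run -s out policy.yml; re-running is safe because the query-logging-enabled filter excludes zones that already log. Pair it with a retention policy on the resulting log group, as the note above recommends, so the shared group does not grow without bound.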
Action: set-shield. Enables Shield protection on the applicable resource.
Setting the sync parameter will also clear out stale Shield protections for resources that no longer exist.
properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
      - set-shield
required:
  - type
Permissions: shield:CreateProtection, shield:ListProtections
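As an added example (not part of the reference page), the two policies below show the shield-enabled filter first in an audit-only role and then driving set-shield with sync so that protections for deleted zones are cleaned up in the same run. Policy and log-group names are constructed.

```yaml
# Added example policies (not from the Cloud Custodian docs).
policies:
  # Detection only: list hosted zones with no Shield protection.
  # No actions, so the run just records matching zones in the output dir.
  - name: route53-zones-without-shield
    resource: aws.hostedzone
    filters:
      - type: shield-enabled
        state: false

  # Remediation: protect unprotected zones and drop stale protections.
  - name: route53-shield-protect-and-sync
    resource: aws.hostedzone
    filters:
      - type: shield-enabled
        state: false
    actions:
      - type: set-shield
        state: true
        # Also remove protections whose hosted zones no longer exist.
        sync: true
```

Run the first policy on its own until the list of unprotected zones is what you expect, then enable the second. shield:CreateProtection only succeeds in accounts with an AWS Shield Advanced subscription, so the remediation policy will fail on a standard-tier account while the audit policy still runs.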